According to the latest report, it appears that hundreds of thousands or even more MikroTik enterprise routers have fallen victim to the CoinHive code. This appears to be a big issue, even though MikroTik has patched this vulnerability.
According to Trustwave researcher Simon Kenin, one or more attackers have exploited a known vulnerability in MikroTik's enterprise routers to inject error pages with code that uses connecting systems to mine digital currency. Attackers have been running an exploit script to gain access to these routers and then installing a custom page which uses the system's power to mine for cryptocoins.
To make things worse, the vulnerability is not unknown: MikroTik had already caught it and patched it back in April, so the blame falls on administrators, who have been slow to apply the update.
“To MikroTik’s credit, they patched the vulnerability within a day of its discovery, but unfortunately there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone,” said Simon Kenin in his post.
While it appears that attacks are currently limited to routers and systems in Brazil, the research shows the campaign is quickly spreading as servers connected to the routers also start pushing the code to other web pages.
According to Kenin, the attack works in both directions, as it also impacts users who are not directly connected to the network but visit websites that are behind these infected routers.
The big problem is that there are currently hundreds of thousands of these devices around the world. Known ISPs, organizations and businesses use these devices and serve at least ten, if not hundreds, of users daily.
If you are running a MikroTik enterprise router, it would be wise to patch it immediately, and the researcher suggests that MikroTik updates their firmware as soon as possible in order to stop the exploit.